TSPY_ZBOT.LWA

October 09, 2012

Analysis by: Erika Bianca Mendoza

PLATFORM:

Windows 2000, Windows, XP, Windows Server 2003

OVERALL RISK RATING:

REPORTED INFECTION:

SYSTEM IMPACT RATING:

INFORMATION EXPOSURE:

Threat Type: Spyware
Destructiveness: No
Encrypted: Yes
In the wild: Yes

OVERVIEW

This spyware may be unknowingly downloaded by a user while visiting malicious websites.

As of this writing, the said sites are inaccessible.

TECHNICAL DETAILS

File Size: 204,800 bytes

File Type: EXE

Memory Resident: Yes

Initial Samples Received Date: 30 Nov 2011

Arrival Details

This spyware may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This spyware drops the following files:

%Application Data%\{random2}\{random}.{random ext}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

%Application Data%\{random1}\{random}.exe

It creates the following folders:

%Application Data%\{random1}
%Application Data%\{random2}

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{GUID} = "%Application Data%\{random1}\{random}.exe"

Other System Modifications

This spyware adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
{random}
{random} = "{hex values}"

It adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
{random}

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\0
1609 = "0"